How do DoS and DDoS attacks work?

Author: Tasnim Zotder
CloudSecurity

What is a DoS (Denial of Service) attack?

A DoS (Denial of Service) attack is a type of cyber-attack that aims to make a server or a network unavailable to its intended users. The attacker sends a large number of requests to the server or network, so that it struggles to respond to legitimate requests. As a result, the server or network becomes unavailable to its intended users.

There are two types of DoS attacks: a single-source attack (DoS) and a multi-source attack (DDoS, Distributed Denial of Service). In a single-source attack, the attacker sends a large number of requests from a single source. In a multi-source attack, the attacker sends a large number of requests from many sources at once.

Categories of DoS Attack

DoS attacks fall into two categories:

Buffer Overflow Attacks

In a buffer overflow attack, the attacker causes a memory buffer to overflow. A buffer is a temporary storage area in a computer's memory. When it overflows, the server can end up consuming all of its resources (CPU, memory, and disk space). As a result, the server becomes unavailable to its intended users.

Flood Attacks

In a flood attack, the attacker sends so many requests to the server or network that its capacity is oversaturated, which can cause the server to crash. For a flood attack to succeed, the attacker's bandwidth needs to be higher than the bandwidth of the server.


How does a DoS Attack Work?

[Figure: DoS mechanism]

The DoS attack works in the following steps:

  1. The attacker sends a large number of requests to the server or network.
  2. The server or network becomes unavailable to its intended users.

How does a DDoS Attack Work?

[Figure: DDoS mechanism]

The DDoS attack works in the following steps:

  1. The attacker sends a large number of requests to the server or network from multiple sources.
  2. The server or network becomes unavailable to its intended users.

Types of DoS and DDoS Attack

There are different types of DoS and DDoS attacks. The most common types of DoS and DDoS attacks are:

SYN Flood Attack

[Figure: SYN flood attack]

A SYN flood attack, also known as a half-open attack, is a type of DoS attack. The attacker sends a large number of SYN requests to the server. The server responds to each SYN with a SYN/ACK packet and waits, but the attacker never answers the SYN/ACK. These half-open connections tie up the server's resources until it can no longer respond to legitimate requests, and the server becomes unavailable to its intended users.

Steps to Perform SYN Flood Attack

The attacker performs the SYN flood attack in the following steps:

  1. The attacker sends a large number of SYN requests to the server. The requests often carry a spoofed source IP address.
  2. The server responds to each SYN request with a SYN/ACK packet and waits for the ACK packet from the sender.
  3. The server never receives the ACK packets, neither from the attacker nor from the host whose IP address was spoofed. As a result, the server runs out of resources to respond to legitimate requests.
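The half-open connections described in these steps are visible on the server itself, so one way to notice an attack early is to count them. The following is an added example, not part of the original post: it parses constructed lines in the style of `ss -tn state syn-recv` output (documentation-range addresses, not real captures) and flags both a single peer holding many half-open connections and a listening port whose half-open count is approaching backlog exhaustion, which is how a spoofed, many-source flood shows up. The thresholds are assumed values for the demo.

```python
from collections import Counter

# Constructed sample in the style of `ss -tn state syn-recv` output:
# "recv-q send-q local_addr:port peer_addr:port" per line.
SAMPLE_HALF_OPEN = """\
0 0 10.0.0.5:443 198.51.100.7:40211
0 0 10.0.0.5:443 198.51.100.7:40212
0 0 10.0.0.5:443 198.51.100.7:40213
0 0 10.0.0.5:443 198.51.100.7:40214
0 0 10.0.0.5:443 203.0.113.9:51000
0 0 10.0.0.5:80 192.0.2.44:33001
0 0 10.0.0.5:443 203.0.113.9:51001
"""

def parse_half_open(text):
    """Return a list of (local_port, peer_ip) for every half-open (SYN-RECV) entry."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue                      # skip headers or blank lines
        local_port = int(fields[2].rsplit(":", 1)[1])
        peer_ip = fields[3].rsplit(":", 1)[0]
        entries.append((local_port, peer_ip))
    return entries

def detect_syn_flood(entries, per_source_threshold=3, total_threshold=5):
    """
    Flag two conditions (thresholds are assumed demo values):
      - one peer address holding many half-open connections, and
      - a local port whose total half-open count is nearing its backlog limit,
        the signature of a spoofed flood spread over many fake sources.
    Returns a dict of alerts; an empty dict means nothing suspicious.
    """
    alerts = {}
    by_source = Counter(peer for _, peer in entries)
    noisy = {ip: n for ip, n in by_source.items() if n >= per_source_threshold}
    if noisy:
        alerts["per_source"] = noisy
    by_port = Counter(port for port, _ in entries)
    saturated = {port: n for port, n in by_port.items() if n >= total_threshold}
    if saturated:
        alerts["per_port"] = saturated
    return alerts

if __name__ == "__main__":
    # Expected: {'per_source': {'198.51.100.7': 4}, 'per_port': {443: 6}}
    print(detect_syn_flood(parse_half_open(SAMPLE_HALF_OPEN)))
```

On a real host, the same logic would be fed by the output of the `ss` command run periodically, and the thresholds tuned to the listen backlog of each service.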

Ping of Death Attack

[Figure: Ping of Death attack]

In a Ping of Death attack, the attacker sends a large number of malformed packets to the server. These packets are larger than the maximum packet size the server allows. In transit, each packet is fragmented into smaller, allowed sizes. When the server reassembles the fragments, the total size exceeds the maximum allowed size, which can overflow a memory buffer. As a result, the server can crash.
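The defect behind this attack is reassembly code that copies fragments into a buffer before checking where they end. The following is an added example, not code from the original post: a fragment reassembler that validates the implied datagram length against the 65,535-byte IPv4 ceiling and checks that fragments are contiguous before copying anything, so an oversized or overlapping set is rejected instead of overrunning the buffer. Fragment offsets are given in bytes here for readability (on the wire they are in 8-byte units); the sample fragment sets are constructed.

```python
IPV4_MAX_DATAGRAM = 65535   # the IPv4 Total Length field is 16 bits

class FragmentError(ValueError):
    """Raised when a fragment set must not be reassembled."""

def reassemble(fragments):
    """
    fragments: iterable of (offset_bytes, more_fragments, payload) for one datagram.
    Every bound is checked before a single byte is copied: the highest-offset
    fragment must be the only one with MF clear, the fragments must be contiguous
    (no gaps, no overlaps), and the resulting length must not exceed 65535 bytes.
    """
    ordered = sorted(fragments, key=lambda f: f[0])
    if not ordered or ordered[-1][1]:
        raise FragmentError("no final fragment (highest offset still has MF set)")
    if any(not more for _, more, _ in ordered[:-1]):
        raise FragmentError("a fragment below the highest offset claims to be final")
    covered = 0
    for offset, _, payload in ordered:           # contiguity check, no copying yet
        if offset != covered:
            raise FragmentError(f"gap or overlap at offset {offset}")
        covered += len(payload)
    if covered > IPV4_MAX_DATAGRAM:
        raise FragmentError(f"datagram would be {covered} bytes, limit is {IPV4_MAX_DATAGRAM}")
    return b"".join(payload for _, _, payload in ordered)

def is_safe_datagram(fragments):
    """True if the fragments reassemble within bounds, False if they are rejected."""
    try:
        reassemble(fragments)
        return True
    except FragmentError:
        return False

# Constructed samples: a well-formed three-fragment datagram, and a set shaped
# like a ping of death whose final fragment ends past the 65535-byte ceiling.
GOOD = [(0, True, b"a" * 8), (8, True, b"b" * 8), (16, False, b"c" * 4)]
OVERSIZED = [(0, True, b"x" * 65528), (65528, False, b"y" * 16)]

if __name__ == "__main__":
    print(is_safe_datagram(GOOD), is_safe_datagram(OVERSIZED))   # True False
```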


Motivations behind Denial-of-Service Attacks

Attackers carry out DoS attacks for a variety of reasons. Some of the common motivations behind DoS attacks are:

Business Competition

In the business world, there are many ways to compete with other companies. One of the most common is to offer a better product or service at a lower price. Some businesses, however, take the path of least resistance even when it is not ethical: they try to make their competitors' products or services unavailable to the public by flooding the competitors' servers with requests. The competitor's customers cannot access the product or service, and the competitor's business suffers.

Financial Gain

Another reason for denial-of-service attacks is financial gain. In this case, the attacker is not trying to harm a competitor. Instead, the attacker makes a product or service unavailable to the public so that they can sell it at a higher price. For example, a hacker could attack a website that sells concert tickets and make it unavailable to the public. The hacker could then sell tickets at a higher price to the people who were unable to buy them from the website.

Ideological Beliefs

Some people believe that they are doing the right thing by attacking a website. They believe the website is doing something wrong that goes against the beliefs they hold. For example, a hacker could attack a website that sells weapons, believing that the website sells weapons to people who will use them to kill innocent people. By disabling the website, the hacker hopes to prevent the sale of weapons to those people.

Revenge

Revenge is another reason for denial-of-service attacks. For example, a hacker who is fired from a company could attack the company's website to make it unavailable to the public. The company's customers cannot access the website and the company's business suffers. The hacker might also want to make the company's customers angry at the company, so that they no longer want to do business with it in the future.

State Sponsored

Sometimes the government of a country sponsors denial-of-service attacks. For example, a government could attack a website owned by another country, such as an important political website or a space agency website. In this way the attacking government tries to suppress the other country and gain an advantage over it.


Preventing Denial of Service Attacks

There are several ways to prevent DoS and DDoS attacks. Some of the common ways to prevent DoS and DDoS attacks are:

Use of Web Application Firewall

A WAF (Web Application Firewall) provides a layer of security between the web application and the internet. It protects against attacks such as SQL injection, cross-site scripting, and DoS attacks, and can be configured to block requests from IP addresses that are sending a large number of requests to the server.

Rate Limiting

Rate limiting is a technique that limits the number of requests a client can send to the server in a given period. It can be implemented at the application level or the network level, and requests can be keyed in the following ways:

  • IP-based rate limiting
  • User-based rate limiting
  • URL-based rate limiting
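The three keyings above can be stacked so that one request must pass all of them. The following is an added example, not code from the original post: a token-bucket limiter (each key gets a bucket of `capacity` tokens refilled at `rate` per second, one token per request) applied per client IP, per authenticated user, and per URL path. The rates, capacities, addresses and paths are assumed demo values, and `ManualClock` is a constructed clock so the behaviour is deterministic.

```python
import time

class TokenBucket:
    """One token bucket per key: `capacity` tokens, refilled at `rate` per second,
    one token per request. Keys are whatever the caller chooses (IP, user, URL)."""
    def __init__(self, rate, capacity, clock=time.monotonic):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self.buckets = {}   # key -> (tokens, timestamp of last refill)

    def allow(self, key):
        now = self.clock()
        tokens, last = self.buckets.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self.buckets[key] = (tokens - 1 if allowed else tokens, now)
        return allowed

class LayeredLimiter:
    """Applies IP-, user- and URL-based limits in turn. A request must pass every
    applicable limit; check() returns (allowed, name_of_limit_that_denied)."""
    def __init__(self, clock=time.monotonic):
        # Assumed limits: tight per IP, looser per user, loosest per URL.
        self.limits = [
            ("ip",   TokenBucket(rate=5,  capacity=10,  clock=clock)),
            ("user", TokenBucket(rate=20, capacity=40,  clock=clock)),
            ("url",  TokenBucket(rate=50, capacity=100, clock=clock)),
        ]

    def check(self, ip, user, url):
        keys = {"ip": ip, "user": user, "url": url}
        for name, bucket in self.limits:
            if keys[name] is None:          # e.g. anonymous request: no user limit
                continue
            if not bucket.allow(keys[name]):
                return (False, name)        # earlier buckets stay charged (conservative)
        return (True, None)

class ManualClock:
    """Constructed clock for deterministic demos: advance with `clock.t += seconds`."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t

if __name__ == "__main__":
    clock = ManualClock()
    limiter = LayeredLimiter(clock=clock)
    # Constructed burst of 12 requests from one address: the 11th trips the IP limit.
    verdicts = [limiter.check("198.51.100.7", None, "/login") for _ in range(12)]
    print(verdicts[9], verdicts[10])   # (True, None) (False, 'ip')
```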

Use of CDN

A CDN (Content Delivery Network) is a network of servers distributed across the globe. The CDN stores the static content of the website, such as images, CSS, and JavaScript files, and when a user requests a page it serves that static content from the server nearest to the user. Because the CDN servers are spread across the globe, they can absorb a large number of requests, which helps protect the website against DoS and DDoS attacks.
